The Certegy Data Misappropriation Case

Introduction

Created in 2001, Certegy sought to empower check users by insuring checks written to merchants. Certegy did not use credit or bank records; instead, its algorithm used artificial intelligence to predict whether a check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information and would receive notification as to whether the check was insured by Certegy. If the check was insured and bounced, Certegy reimbursed the merchant. The system was far from perfect; many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.

On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period and sold that data to marketers. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for members of the class, amounting to less than $5 million.

Was Certegy guilty of any crime?

What has crime to do with it? Do you mean, are they civilly liable? Or are you actually raising a question of criminal liability, and on what basis?

If so, what crime? Was there negligence on their part?

Are you asking about the facts, or do you mean is negligence the relevant standard of care, or are you asking whether res ipsa loquitur when customer financial data is misappropriated by employees?

Most importantly, were there any damages?

Do you mean how does one prove actual harm in particular cases from identity theft, or that the mere creation of a risk without the occurrence of a fraud causes no harm?

Discussion

1. Was there any violation of law when the data was sold to marketers?

Surprisingly, there is no single source of privacy rights in the U.S. governing personal information in privately owned computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act provides that financial institutions may not disclose a consumer's nonpublic personal information to nonaffiliated third parties unless the consumer is given clear notice of this possibility and an opportunity to opt out of such disclosures before they occur.

Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer; a contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to assume that John Doe is also a consumer of Certegy’s product. John directly benefits from Certegy's service in that the merchant is now willing to accept his checks.

But this isn't the question unless the point is that only a regulatory liability could have created a duty of care to the merchant or its customers.

2. Was Certegy negligent?

Although the intrusion was not an external one, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which had anything to do with the specific check writer’s history with Certegy. Thus, John Doe, a first-time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check-writing Certegy customer. The act of storing the information is per se negligent because Certegy should have anticipated that data might be misappropriated. The rebuttal to this argument – that the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told; if Certegy’s computers saved the data, that is because their programming told them to do so.

Second, Certegy was negligent by giving the keys to the kingdom to its employees. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this data without oversight by some committee. The system Certegy had in place was insecure and was begging to be compromised.

I don't understand how or why one would come to a conclusion about negligence on a partial evaluation of some of the facts. And I don't know why this is the standard of inquiry.

3. What damages occurred?

In Smith v. Chase Manhattan Bank, the court held that the use of misappropriated data to offer class members products and services, which they were free to decline, did not qualify as harm. Moreover, no harm exists where a class member cannot prove that he suffered actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.

Although at first glance the Certegy case seems similar to Chase, a closer look distinguishes the two. In Certegy, the data was sold to a company that in turn sold this data to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received, in which it would contact consumers with a compelling offer for some largely worthless gifts in exchange for accepting a free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits.

Surely this just proves how pointless it is to keep asking these rhetorical questions of the reader about a case in which no facts are known until you pull them like rabbits from your hat.

In Forbes v. Wells Fargo Bank, the court found that the personal time and money spent by the class in monitoring their financial accounts against potential loss due to data misappropriation "was not the result of any present injury, but rather the anticipation of future injury that has not materialized". Using the argument mentioned above, however, it would seem that the Certegy data theft was a ‘present injury’, unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.

Why is all this talk relevant to the discussion of a settlement? Are we supposed to have been deciding whether to bet on the favorite or the long shot?

Conclusion

Although no actual financial fraud took place as a direct result of the data misappropriation, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.
